Offers clients the use of the best commercial penetration testing tools available on the market (licenses for many expensive pentesting tools are already owned). This has previously resulted in winning government contract bids.

Experience consists of 26 years of exposure to computers and networks, 19 years in information security / assurance, 15 years in information system (IS) security auditing, 13 years in project management, 13 years in penetration testing and vulnerability assessment, 13 years in application security, 13 years supporting government clients (DoD/ANGB, DSS, DISA, DHHS/FDA, PSC, DoL/ESA, DoS/CA, DHS/FEMA, TSA, DoED, FHFA, LOC, USAID), and 5 years supporting commercial companies in the telecommunications, financial services and banking industries, including Information Systems (IS) security audits of banking applications. Education includes ~40 IT certifications, 100+ courses, a Master's degree in Geography (1990), and a second Master's degree in Information Security (2004).

AFFILIATIONS:
ACFEI – member of the American College of Forensic Examiners International (www.acfei.com)
CSI – member of the Computer Security Institute (www.gocsi.com)
IEEE – member of the Institute of Electrical and Electronics Engineers (www.ieee.org)
IIA – member of the Institute of Internal Auditors (www.theiia.org)
ISACA – member of the Information Systems Audit and Control Association (www.isaca.org)
ISSA – member of the Information Systems Security Association (www.issa.org)
NAGC – member of the National Association of Government Contractors (web.governmentcontractors.org)
NBISE OST – member of the National Board of Information Security Examiners' Operational Security Testing Panel (https://www.nbise.org/home/about-us/governance/ostp)
NoVaH – member of the Northern Virginia Hackers, DC InfoSec Group (http://novahackers.blogspot.com)
OWASP – member of the Open Web Application Security Project (OWASP) Northern Virginia Chapter (https://www.owasp.org/index.php/Virginia) and Washington DC Chapter (https://www.owasp.org/index.php/Washington_DC)

Principal Information Security Engineer

Start Date: 2004-11-01 End Date: 2006-09-01

• Performed as a principal information security engineer and an INFOSEC principal subject matter expert to the CA ISSO in a multidisciplinary team environment.
• Served as Certification and Accreditation (C&A) certifier for the Bureau of Consular Affairs.
• Leveraged security consultation expertise and findings to design and deliver new IT services of customized CA business systems so as to ensure that they exceed DoS security requirements in a cost-effective manner.
• Served as lead engineer for NG's CA Risk Management (ST3) and System Security Integration Support (ST6) sub-task contracts, with primary responsibility for all aspects of project planning and management.
• Supervised the security engineering team in daily security tasks such as vulnerability assessment and patch discovery, testing, implementation, and monitoring across the entire State Dept. Bureau of Consular Affairs.
• Created additional technical positions in his security engineering team, billable to the federal contract.
• Performed "hands-on" laboratory analyses, security assessments, and penetration testing, documented evaluation findings, and provided recommendations to government management, team members, and contractors.
• Developed and coordinated related project lifecycle security engineering processes and documentation.
• Completed vulnerability assessment analysis of CA's Major Applications and General Support Systems.
• Defined information security strategy, briefed CA management and system administrators about the vulnerability assessment reports, and presented and prioritized options for risk mitigation.
• Completed vulnerability assessments, penetration testing, IT audit, and a risk assessment framework on thousands of computers, using a variety of automated tools (BTK, MBSA, Harris STAT, Nessus, and AppDetective) as well as manual review and testing of security configurations that include, but are not limited to, Windows 2003/2000/NT Server, Windows XP/2000 Pro/NT workstation, IIS 6/5/4, SQL Server 2005/2000/7, and Oracle 8i/9i R2/10g RDBMS.
• Advised DoS and CA Patch Management groups on enhancing the methodology and procedures for implementing Microsoft and other vendors' security patches.
• Provided technical services for network security monitoring support focusing on server and workstation security.
• Reported weekly to the CA ISSO about vulnerability assessment and mitigation activities.
• Reviewed information security controls to help provide effective, efficient and secure access to information within operating systems, databases, and applications.
• Worked independently on new business development opportunities and on the scope of prospective engagements; wrote, developed and delivered proposals.
• Led technical efforts to research and evaluate new security-related technologies and security vendor offerings, and integrated appropriate products aimed at reducing the risk to CA's network environment; this resulted in several new products being added to CA's software baseline that are currently in use.
• Analyzed and decomposed government customer needs and requirements to identify appropriate solutions.
• Led analysis and planning for standing up a new Harris STAT vulnerability assessment and monitoring security architecture and for compliance with the Department's and Bureau's information security policies and procedures.
• Analyzed existing network infrastructures and provided recommendations to government managers to ensure secure communication of sensitive data and to reduce threats to the DoS SBU network.
• Evaluated DoS Diplomatic Security (DS) Windows and Database Security Configuration guides.
• Interfaced with the various customers, government management, and project stakeholders within Consular Affairs and DoS in order to successfully integrate recommended solutions into the existing infrastructure.

Penetration Tester/Auditor

Start Date: 2013-07-01 End Date: 2015-03-01

July 2013 - March 2015 - Part-time, remote telework at the United States Agency for International Development (USAID) through contract with Open System Sciences of Virginia (OSS) as an independent sub-contractor on the project through own company - Yarekx IT Consulting LLC; Newington, VA - Penetration Tester/Auditor.
• Conducted remote web application security vulnerability and penetration testing (automated and manual) against large commercial Internet applications (10,000 web pages) based in the U.S., Europe, and Asia.
• Analyzed scan results and manually verified each security vulnerability to avoid reporting false positives.
• Wrote very detailed reports of findings and suggested step-by-step remediation procedures.
• Presented web application security vulnerabilities, as defined by the OWASP Top 10, to executives and developers.

Principal Security Auditor

Start Date: 2007-09-01 End Date: 2007-09-01

September 2007 - September 2007 - U.S. Nuclear Regulatory Commission (NRC) through contract with Eagle Ray - an independent sub-contractor on the project through own company - Yarekx IT Consulting LLC; Chantilly, VA - Principal Security Auditor
• Edited technical aspects of the contract proposal for Certification and Accreditation (C&A) activities and IT security audit for the U.S. Nuclear Regulatory Commission.

Principal Security Tester / Information Systems (IS) Security Auditor

Start Date: 2006-09-01 End Date: 2007-01-01

September 2006 - January 2007 - Department of Homeland Security (DHS), Federal Emergency Management Agency (FEMA), Corporate Lodging Consultants (CLC) through contract with Knowledge Consulting Group (KCG) - an independent sub-contractor on a short-term project through own company - Yarekx IT Consulting LLC; Reston, VA - Principal Security Tester / Information Systems (IS) Security Auditor
• Supported the full cycle of the Certification and Accreditation (C&A) process as a principal security tester.
• Acted as a principal subject matter expert (SME) and advised on any security-related issue.
• Developed and conducted the Security Testing and Evaluation (ST&E) plan, which included the identification of system boundaries, the system requirements, test objectives, testing methods, the test scenario, the test procedures, and the expected results.
• Reviewed the minimum security checklist with the Security Requirements Traceability Matrix (SRTM).
• Performed vulnerability assessment scanning, penetration testing, ethical hacking, and PCI audit on hundreds of devices according to the Rules of Engagement document, using a variety of COTS and open source security tools.
• Conducted Vulnerability Assessments (VA) and IT audit on various types of networks, systems, applications and OS, such as Windows XP/2000/2003, Sun Solaris 9, Linux Slackware, Cisco IOS 12.x, SQL 2000, Oracle 8i/9i, Apache 1.3, Exchange 2000, and Linksys WAP, using CIS, Harris STAT, Nessus, and WebInspect tools.
• Examined output from vulnerability assessments and translated its technical jargon into plain-language concepts and suggested remediation strategies.
• Conducted IT Risk Assessments (RA), described risk sources and provided recommended countermeasures to reduce risk to an acceptable and manageable level.
• Presented advice and implemented changes in network and host architecture within the enterprise.
• Worked closely with the system, web, and database administrators to assist them with security mitigation.
• Completed system reviews to ensure group-level policies are in compliance with Security Best Practices.
• Assisted with development of the IT security policies and procedures for conducting certifications.
• Helped with translation of government directives into the client's policy and procedural documentation.
• Assisted in designing and implementing security products such as intrusion detection systems (IDS), patch management systems, firewalls, and antivirus using a cost-effective, quality-focused approach.
• Reviewed security plans and procedures concerning all aspects of LAN and WAN.
• Supported the development and implementation of a technical audit program.
• Developed and presented finding analysis reports to all levels within the client's enterprise.
